Krebs on Security

In-depth security news and investigation

Botnet Enlists Firefox Users to Hack Web Sites

An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

The “Advanced Power” botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.

SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.

The fraudulent Firefox add-on.

The malicious code comes from sources referenced in this Malwr writeup and this Virustotal entry (please don’t go looking for this malware unless you really know what you’re doing). On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.

Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means is it a full regression test, but it is a deep and innovative approach.”

Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.

SQL injections are some of the most common Web site attacks partly because these vulnerabilities are extremely widespread. According to a report (PDF) released earlier this year from Web site security firm Imperva (full disclosure: Imperva is an advertiser on this site), while most Web applications receive four or more attack campaigns each month, some Websites are constantly under attack — particularly Web apps at retail sites.

Sites browsed by hacked PCs (left) and SQL injection flaws found by the botnet (masked, right)

Botnets like this one are a great and classic example of how compromised systems are nearly always used to chip away at the defenses of others online. Interestingly, there is a legitimate add-on for Firefox that can help passively detect SQL injection vulnerabilities on sites you visit. Site owners looking for a free tool to scan their sites for SQL vulnerabilities should check out SQLmap, an open source penetration testing tool.

Update, 6:17 p.m. ET: Mozilla has issued a statement saying that it has “disabled the fraudulent Microsoft .NET Framework Assistant add-on used by the Advanced Power botnet,” by adding the bogus add-on to its block list. Mozilla said Firefox gets a message during a check for blocked add-ons once a day — while the browser is running — and that the block does not require any user actions to take effect.

This entry was posted on Monday, December 16th, 2013 at 12:01 am and is filed under A Little Sunshine, Web Fraud 2.0.

51 comments

Hi Brian,
can you tell us what this add-on looks like in the Firefox add-on list? For me there is such an add-on, but it could also be the legitimate one saying that it adds ClickOnce support. It also has the version number 0.0.0, which looks strange, but according to (http://support.microsoft.com/kb/963707/en) that’s okay.
Thanks!

Note that in Firefox, when you go to Tools>Add-ons, “Microsoft .NET Framework Assistant 0.0.0” is in Extensions, not Plugins.

Also, Brian, could you be a bit clearer about the link you provided? You said, “Know that the link referenced there is a lie; it’s a legitimate Microsoft domain, but it has nothing to do with this plugin.” Do you mean the link you provided shows how the imposter looks or do you mean that the link shows the real Microsoft plugin so it has nothing to do with the malware of the same name? Your image shows “Microsoft .NET Framework Assistant 0.1,” not “0.0.0”. Is “0.1” a true Microsoft upgrade to the real Microsoft extension or is either “0.0.0” or “0.1” a tip off that one has the malware? Note that your image has both “Disable” and “Remove.” My Firefox “0.0.0” has only “Disable”. Is that a clue that one has one or the other?

I’m going to assume this MS Framework can run on other browsers. I don’t see Framework listed in my browser add on list; however, I do have Silverlight running as a browser add on. And as per the Microsoft website, “Silverlight is a free plug-in, powered by the .NET framework and compatible with multiple browsers”.

No idea. But when I had a look at the back end system for this botnet, I only saw what that screenshot shows: page after page of mozilla firefox icons. I have nothing to suggest any other browsers were impacted.

If the link is correct, then the last modification of windowsclient.com.xpi was made on Thu 30 May 2013.
Also, the algorithm generating domain names is not working as expected (advpmaster122013.org, advpmaster112013.org, …), or the software is just too old.
Also, there is an executable (.exe) on VirusTotal and Malwr, and the extension is an xpi.
And to finish, I can see a few interesting comments like:
…callBack(null); return;}// sdelat zapis ob oshibke
…// sent request to verify parametr
that indicate that the author is most probably from Russia.

This is what I would do. Look in Control Panel -> Programs for “Microsoft .NET Framework Assistant” and uninstall it if it exists. Save your list of Firefox bookmarks to a temporary file. Uninstall Firefox via Control Panel -> Programs. Download CCleaner from piriform.com, install it (don’t accept the free offer of Chrome), run the Registry cleaner, and run the regular Cleaner. Download the free version of Malwarebytes from malwarebytes.org, install it (don’t accept the free trial), and do a system scan with it (take the defaults if malware is found). Then reinstall Firefox and only add back the add-ons you trust, e.g. No Script.

Please don’t use CCleaner’s registry cleaning feature. As a matter of fact, don’t use ANY registry cleaners, unless you want to break your computer. The only thing you should be doing to your registry is backing it up. Really.

I use CCleaner on all of my PCs, as well as those of my customers. I have never had a problem and I do this for a living. CCleaner gives the option of making a backup of the registry so one can always revert back to the previous version. Really.

So … if you used a registry cleaner on a client computer and it broke something (fairly likely) … how would you know?

Registry cleaners have no magical way of telling what registry entries are “no longer needed”. They just guess. If they guess wrong, well, something breaks, but the user has no way of knowing what caused the problem, so that’s all good … for the people selling the snake oil, that is.

I would run a few tests before I returned the PC back to the customer. These would not be shots in the dark, but educated guesses based on what was removed. And if the customer complained, I would run back to fix it. But that’s never happened.

“Registry cleaners have no magical way of telling what registry entries are ‘no longer needed’. They just guess.”

Wrong. They compare the contents of the registry with what is installed and what directories are present.

I do not know if all registry cleaners are trustworthy. Perhaps your comments are valid for the other ones. I only know about CCleaner.

Blindly running registry “cleaners” is rather irresponsible. What is it “fixing”?
If there is a problem with the registry, then you fix that specific problem, otherwise there is no need to mess around with the registry. Sure you may “clean” your registry and not have a problem, but you run a huge risk when you blindly go in there and delete things. You may not realize a problem until weeks later when you run a program that is used infrequently.
While you might not break the machine running a “registry cleaner” the risk is not worth it. Eventually that risk will become a real problem.

@onlinekook “Blindly running registry ‘cleaners’ is rather irresponsible. What is it ‘fixing’?”

First, I never stated that anyone should run them “blindly”; that is your word. CCleaner should be run if a known problem exists. You do know that malware hides in the registry, right?

Second, what is your alternative solution for malware in the registry? You seem to be suggesting that we should just leave it there, which will allow the malware to remain. Or perhaps you are suggesting that novices use regedit, which is irresponsible advice.

Third, as I stated before, CCleaner gives an option of making a backup before cleaning so users can revert back to the original configuration. I would always recommend making a backup.

“Eventually that risk will become a real problem”

I run CCleaner many times per week on different systems and have yet to see a problem.

I also found “Microsoft .NET Framework Assistant 0.0.0” on my Firefox 26.0. It was enabled but I disabled it. There does not appear to be any means of removing it, however. Can you expound further on how to find out if this is malware and how it can be removed? Thank you.

NOTE: In later editions of Firefox it is only the above key that needs to be deleted; there is no corresponding entry in about:config. Restarting Firefox after deleting the key will no longer display this add-on in Add-ons.

Looking at the VirusTotal link, at 33 / 49 this version of the thing is pretty much dead if someone has even a mediocre AV. (But also know they probably pump out newer versions of this thing too.)

How it’s installed is a pretty common technique I’ve seen, you know the old “Hey install this plugin to view this content click here! Adobeflash.exe”.

At this link: http://support.microsoft.com/kb/963707/en
noted by Intoy (first post above)
I edited the registry and removed the add-on. Mine was 0.0.0 as well. Piece of cake deleting the value in the registry. Figure I’ll reinstall if I ever need it.

Jerry, version 0.0.0 is the real add-on by the same name, produced by Microsoft – not the malware Brian talks about. In fact, 0.0.0 is the dummy version for people who opted out of ClickOnce functionality, it doesn’t do anything. Nothing wrong with removing it completely of course.

I couldn’t resist peeking into the source code of this add-on. Two things that stuck out to me:

1. Mozilla’s blacklist is unlikely to have much effect because the infected browsers are extremely outdated – the add-on is only marked compatible with Firefox 2.0 to 6.0a1. “Compatible by default” was only enabled with Firefox 10 so that add-on won’t run in any newer Firefox version. Also, there is no custom update URL that could push a newer version of this add-on or override compatibility information.

2. I found three non-English comments, Google Translate assumes one to be Czech, the other Slovenian and third is even considered to be Italian. This is pure nonsense of course because it only managed to translate a few words from the texts. In fact, these comments are quite clearly transliterated Russian, with a significant number of typos.

Maybe one last remark. Does anybody know the Extension ID of the malware? The real one from Microsoft is {20a82645-c095-46ed-80e3-08825760534b}. You get it from Help -> Troubleshooting Information. Maybe the malware author also used this ID, but maybe not.
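A triage helper for the compatibility point raised in the comment above, added here as an example and not code from the post, the botnet, or Mozilla: it parses an extension’s install.rdf, reports the declared Firefox minVersion/maxVersion and whether a custom update URL is present, and checks that range against a running Firefox version. The manifest is a constructed sample that reuses the real Microsoft add-on ID and the 2.0 to 6.0a1 range quoted above; the Firefox application ID constant is Mozilla’s real one, and the version ordering is a simplified form of the toolkit rules.

```python
import re
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
FIREFOX_APP_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"  # Firefox's own application ID

# Constructed sample: real Microsoft add-on ID, compatibility range from the comments above.
SAMPLE_INSTALL_RDF = """<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>{20a82645-c095-46ed-80e3-08825760534b}</em:id>
    <em:name>Microsoft .NET Framework Assistant</em:name>
    <em:version>0.0.0</em:version>
    <em:targetApplication><Description>
      <em:id>{ec8030f7-c20a-464f-9b0e-13a3a9e97384}</em:id>
      <em:minVersion>2.0</em:minVersion>
      <em:maxVersion>6.0a1</em:maxVersion>
    </Description></em:targetApplication>
  </Description>
</RDF>"""

def _version_key(v):
    # Simplified Mozilla toolkit version ordering: each dotted part is
    # number[letters[number]], and a part with letters ("0a1") sorts before the bare number ("0").
    key = []
    for part in v.split("."):
        num, letters, sub = re.match(r"(\d*)([A-Za-z]*)(\d*)", part).groups()
        key.append((int(num or 0), 0 if letters else 1, letters, int(sub or 0)))
    return key

def version_in_range(version, lo, hi):
    # Pad shorter keys so "26" and "26.0" compare equal, then compare lexicographically.
    keys = [_version_key(x) for x in (version, lo, hi)]
    n = max(map(len, keys))
    v, lo_k, hi_k = [k + [(0, 1, "", 0)] * (n - len(k)) for k in keys]
    return lo_k <= v <= hi_k

def triage(install_rdf_xml, running_firefox="26.0"):
    # Report only what the manifest itself claims: id, version, Firefox range, update URL.
    manifest = ET.fromstring(install_rdf_xml).find(RDF + "Description")
    text = lambda el, tag: (el.findtext(EM + tag) or "").strip()
    report = {"id": text(manifest, "id"), "name": text(manifest, "name"),
              "version": text(manifest, "version"),
              "update_url": text(manifest, "updateURL") or None,
              "runs_in_current_firefox": False}
    for app in manifest.findall(EM + "targetApplication/" + RDF + "Description"):
        if text(app, "id") == FIREFOX_APP_ID:
            report["firefox_range"] = (text(app, "minVersion"), text(app, "maxVersion"))
            report["runs_in_current_firefox"] = version_in_range(
                running_firefox, *report["firefox_range"])
    return report
```

Running `triage(SAMPLE_INSTALL_RDF)` against the Firefox 26.0 mentioned in the comments reports the 2.0 to 6.0a1 range, no update URL, and that the add-on would not run in that version; a manifest whose range covers the running version, or that carries an updateURL, is the case worth a closer look.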

I’m not certain that the malware is limited to old versions of Firefox. Sure, you couldn’t install it on current versions via the usual method, but then it isn’t meant to be installed via the usual method – couldn’t a malicious installer trick Firefox into accepting an “outdated” extension?

I think you are right, I jumped to conclusions here. A third-party application would need to manipulate Firefox’s extensions database directly to change the compatibility information for that add-on. Yet disabling the opt-in screen for externally installed add-ons (something that malware is bound to do) requires doing exactly the same thing, so it is possible that somebody has actually done that. Still not very likely, however – why go through all the trouble instead of simply setting the compatibility info correctly in the first place?

Perhaps to make it that little bit harder for white hats to diagnose, or just in the hopes of confusing people? I don’t know, perhaps they really are only targeting old versions – maybe the vulnerability they used to install was only present in those versions? – but I don’t think we can safely conclude that without more information.

Hey! Do not start posting stuff like this! We need to make sure we keep screaming how insecure Java is and how the internet is a pristine fortress of impenetrable magic that will solve our deepest, fantastical desires!

The important sentence is “It’s not clear yet how the initial infection is being spread” – the initial infection quite possibly happens through a Java vulnerability. The people affected didn’t update Firefox in more than two years, they likely didn’t update Java either (updating Firefox is much easier). There, now you have it.